Privacy Policy

Privacy Notice

Introduction

Cargilfield School (“the School”, “we”, “our”, “us”) is a company limited by guarantee (registration number SC025080) and a registered charity (registration number SC005757) located at 45 Gamekeeper’s Road, Edinburgh EH4 6HU. The objects of the School are to provide, in Scotland, the United Kingdom or elsewhere, education for boys and girls of all age groups, whether on a boarding or day school basis, to provide all appropriate educational, sporting and residential facilities for this purpose; and to promote education generally. The Board of Governors of the School takes collective responsibility for the decisions made in the name of the School. However, the Headmaster of the School has day-to-day responsibility for the management and operation of the School and the care of the pupils at the School.

The School is a data controller in terms of Data Protection Law (this means, from 25 May 2018, the EU General Data Protection Regulation 2016/679, the Data Protection Act 2018 and any other legislation enacted that relates to data protection) (“Data Protection Law”). This means that the School determines the purposes for which, and the means by which, the personal data of living individuals is processed. The Friends of Cargilfield Association, as a body associated with the School, is also covered by this Privacy Notice. References in this Privacy Notice to the School include the Friends of Cargilfield Association.

Personal data means any data that relates to a living individual who can be identified directly from that data, or indirectly from that data combined with other information available to the School as a data controller. It does not include data where the identity has been removed completely (such as anonymous data). There are some ‘special categories’ of more sensitive personal data which require a higher level of protection under Data Protection Law.

Purpose of this Privacy Notice

The purpose of this Privacy Notice is to provide information about how the School will collect and thereafter process (or use) personal data about individuals including:

Employees, parents, pupils and alumni are all encouraged to read this Privacy Notice and understand the School’s obligations. The School is required under Data Protection Law to notify you of the information contained in this Privacy Notice. However, this Notice does not form part of any contract for services or contract of employment.

This Privacy Notice applies alongside any other information the School may provide about a particular use of personal data, for example when collecting data via an online or paper form. This Privacy Notice also applies in addition to the School's other relevant terms and conditions and policies, including:

• any contract between the School and its staff, or the School and parents/pupils;

• the School’s Data Protection Policy;

• the School's policy on taking, storing and using images of children;

• the School’s CCTV policy;

• the School’s Records Retention policy;

• the School's safeguarding, pastoral, or health and safety policies, including as to how concerns or incidents are recorded; and

The School reserves the right to update this Privacy Notice at any time.

Data Protection Officer

We have appointed a Data Protection Officer (“DPO”) to oversee our compliance with Data Protection Law. If you have any questions about this Privacy Notice or how we handle personal data, please contact the DPO in writing using the details below.

Data Protection Officer

Email: bursar@cargilfield.com

Address: Cargilfield School, 45 Gamekeeper’s Road, Edinburgh, EH4 6HU

Anyone who works for, or acts on behalf of, the School should be aware of this Privacy Notice and comply with the School's policies. It is important for us to ensure that the personal data we hold about you is accurate. Please help us to update our records by notifying us of any changes to your personal data by contacting our DPO.

Commitment to privacy and security of personal data

The School is committed to protecting the privacy and security of personal data and to complying with Data Protection Law. The law says that the personal data that we hold must be used in a way that complies with the following data protection principles:

• Used in a lawful, fair and transparent way.

• Collected only for valid purposes that we have clearly explained and not used in any way that is incompatible with those purposes.

• Relevant to the purposes for which it was collected and limited only to those purposes.

• Accurate and kept up to date.

• Kept only as long as necessary for the purposes for which it was collected.

• Kept securely.

Whose personal data do we collect?

The School collects personal data relating to individuals who fall into one or more of the categories listed below. This list represents the current, former and prospective stages of each category in the list in relation to the School:

• Pupils

• Parents

• Employees

• Volunteers

• Donors

• Suppliers and contractors

• Visitors to the School, to School events and to the School’s website

Purposes and legal basis for processing personal data

Processing for the performance of a contract:

The School processes a wide range of personal data as part of its daily operations and activities. Some of the operations and activities have to be undertaken by the School in order to fulfil its legal rights, duties or obligations, including those under a contract with its staff or parents/pupils.

Processing in the legitimate interest of the School or a third party:

Other uses of personal data will be made in accordance with the School’s legitimate interests, or the legitimate interests of another person, provided that these are not outweighed by the impact on individuals and provided it does not involve special category or sensitive types of data. Examples of such interests are included below under “Examples of how we might use your information”.

Processing based on consent:

Generally, we do not rely on consent as a legal basis for processing your personal data other than in relation to sending direct fundraising communications to you via email, or in relation to the use of images of individuals on our website/social media or in promotional materials.

Withdrawal of consent

Where you have provided your consent to the collection, processing and transfer of your personal data for a specific purpose, you have the right to withdraw your consent for that specific processing at any time. To withdraw your consent, please contact our DPO at the address listed on the previous page. Once we have received notification that you have withdrawn your consent, we will no longer process your information for the purpose or purposes you originally agreed to.

Change in purposes of processing

We will only use your personal information for the purposes for which we collected it, unless we reasonably consider that we need to use it for another purpose and that purpose is compatible with the original purpose. If we need to use your personal information for an unrelated purpose, we will notify you and we will explain what we consider to be the lawful basis which we are relying on to do so.

• Education/Professional data: e.g. educational records; references for pupils; exam results; disciplinary records; tutor and teacher notes; references given or received by the School about pupils or employees.

• HR data: e.g. relating to employees of the School and prospective employees; job titles; CVs; application forms; agency referrals; references given or received by the School about employees.

• Images and monitoring: e.g. of pupils, employees, parents and occasionally other individuals engaging in School activities for promotional purposes and educational purposes; images captured by the School's CCTV system (in accordance with the School's policies on CCTV and Taking, Storing and Using Images of pupils); swipe/fob records; PC login details; car details (about those who use our car parking facilities); use of email and internet.

• Relationship data: e.g. contact details for their next of kin; information about family relationships; marriage details.

We may also collect, store and use the following ‘special categories’ of more sensitive personal information about you, either: with explicit consent; to perform our duties under a contract with you; to meet some other legal obligation; or to protect the vital interests of an individual in certain circumstances. Examples of the types of special category or sensitive personal data we might process are:

• To enable relevant authorities to monitor the School's performance and to intervene or assist with incidents as appropriate

• To give and receive information and references about past, current and prospective pupils, including relating to outstanding fees or payment history, to/from any educational institution that the pupil attended or where it is proposed they attend; and to provide references to potential employers of past pupils

• To enable pupils to take part in national or other assessments, and to publish the results of public examinations or other achievements of pupils of the School

• To safeguard pupils’ welfare and provide appropriate pastoral care

• For security purposes, including CCTV in accordance with the School’s CCTV policy

• Where otherwise reasonably necessary for the School's purposes, including to obtain appropriate professional advice and insurance for the School

• Sending updates from the school

• Invitations to events

• Offering in-house medical services

• Promote academic and extra-curricular achievements

To raise the School profile or to raise donations:

• Send relevant updates on the fundraising activities of the School

• Send segmented appeals requesting donations

• Process single and regular donations

• Manage your previous donations to the School

• Submit Gift Aid claims to HMRC

For prospective, existing, or former employees:

• To manage the recruitment process

• Processing PVG application forms

• Paying salaries, pension contributions and tax

• For the purposes of management planning and forecasting, research and statistical analysis, including that imposed or provided for by law (such as diversity or gender pay gap analysis and taxation records);

• Managing leave, disciplinary actions, grievance procedures

To provide benefits of being a member of the Friends of Cargilfield Association:

• Sending information about events

• Sending the Newsletter

• Provide access to an online alumni portal

• To keep a register of pupils who have attended the School

How do we collect your personal data?

Personal data is generally collected directly from individuals, when they enter into a contract with the School or interact with the School in some way. Additional data is collated during an individual’s relationship with the school and may be sourced from third parties for certain purposes (depending on the individual’s relationship with the School).

Where is your information stored?

The School stores personal data in electronic format and in hard copy format. We have strict access policies in place, including our IT Security Policy and other associated policies, to ensure that only authorised persons can access your personal data. They will only process your personal information on our instructions and they are subject to a duty of confidentiality. The School has put in place appropriate security measures to protect your personal data from being accidentally lost, or used, accessed, altered, disclosed or destroyed unlawfully. The School has procedures to deal with any information security incident effectively and in compliance with Data Protection Law, including complying with requirements to notify you and the UK ICO where appropriate of any personal data security breach.

How long do we retain your personal data for?

The School retains personal data only for so long as is necessary for the purposes for which the personal data was collected, including satisfying any legal, accounting or reporting requirements. To determine the appropriate retention period for personal data, we consider the volume, nature and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements. Further information can be found in our Records Retention Schedule.

Who do we share your personal data with?

We may need to share some of your personal data with third parties in order to fulfil our purposes and for those third parties to provide services to us to support our operations and activities. When we share personal data with a third party, we will always make sure that we have the necessary contracts in place to ensure the security of your personal data, that those third parties act on our instructions and do not use the personal data for their own purposes. We will only share that data in accordance with the law. All these third parties are required to take appropriate security measures to protect your personal data in line with our own policies and to comply with Data Protection law. We may also need to share your personal information with a regulator to comply with the law.

Examples of third parties we may share personal data with include:

• administrative database providers

• email marketing providers

• postal direct mail providers

• educational service (including online) providers

• HMRC

• local authorities

• pension providers

• IT services including cloud storage providers

• Medical professionals

• consultancy organisations who may analyse our data

• professional advisers

• regulatory bodies

Transfers of personal data outwith the EU

Some of our processes may require us to transfer data outside of the EU; for example, this occurs when we use a third-party processor that has servers based outside of the EU, e.g. in the USA. The European Commission has issued an adequacy decision in relation to transfers to the USA, under the EU-US Privacy Shield Framework. For transfers to third parties not covered by specific agreements such as the Privacy Shield Framework, we will always ensure that any transfers of personal data are subject to appropriate safeguards, either under adequacy decisions or binding corporate rules or standard contractual clauses put in place by the appropriate regulatory bodies.

Individual rights under Data Protection law

In certain circumstances, individuals have the legal right to:

Request access to their personal information. This is known as a subject access request. Individuals can request a copy of the personal data we hold about them and check that we are processing it in accordance with the law.

Request correction of the personal data we hold about them and have any incomplete or inaccurate data we hold about them corrected.

Request erasure of their personal data, where they consider that there is no good reason for us continuing to process it.

Object to the processing of their personal data, where we rely on a legitimate interest ground for processing and there is some reason why the individual wants to object to processing on this ground. Individuals also have the right to object to processing where we are processing their personal data for direct marketing.

Request the restriction of processing of their personal data, by asking us to suspend the processing of personal data, for example, to establish its accuracy or the reason for processing.

Request the transfer of their personal data to another party.

Contact point for you to exercise your individual rights

If you want to request access to, review, verify, correct or request erasure of your personal data, object to processing of your personal data or request that we transfer a copy of your personal data to another party, please contact the DPO at the address listed on Page 2 of this Privacy Notice. Ordinarily, you will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, if your request for access is clearly unfounded or excessive, we may charge a reasonable fee for access or refuse to comply with the request.

Before you can exercise your rights as an individual, we may need to request specific information from you to help us confirm your identity and ensure your right to access the data (or to exercise any of your other rights). This may be necessary to ensure that your personal data are not disclosed to an unauthorised person.

Exercise of rights by children/pupils

The School recognises that children have rights under Data Protection Law in relation to their personal data.

For the purposes of delivering our obligations under the Parent/Pupil contract with the School, we will usually liaise with parents and share personal data of their children with them, e.g. relating to their child’s progress and behaviour, school activities and the general well-being of their child. Where a pupil seeks to raise concerns confidentially with an employee of the School and expressly withholds their agreement to their personal data being disclosed to their parents, we may be under an obligation to maintain confidentiality unless, in our opinion, there is a good reason to do otherwise, for example, where we reasonably consider that disclosure is likely to be in the best interests of the pupil in any given circumstances, or where disclosure is required by law.

A person with parental responsibility will generally be entitled to make a subject access request on behalf of a pupil, but the information in question is always considered to belong to the individual to whom the personal data relates and in some cases a mandate from the pupil may be required. In Scotland, the law presumes that a child aged 12 years or more has the capacity to exercise their rights under Data Protection Law. A pupil of any age may ask a parent or other representative to make a subject access request on their behalf. Moreover (if of sufficient maturity), the consent or authority of the child may need to be sought by the parent(s) making such a request.

Complaints

If you have any concerns over how you think we are using your personal data, please contact our DPO in the first instance at the address listed earlier in this Privacy Notice. You also have a right to complain to the UK ICO at any time about our processing of your personal data.

Personal data is information that identifies you as an individual and relates to you. This includes your contact details, as well as photos and video recordings of you.

HOW AND WHY DOES THE SCHOOL COLLECT AND USE PERSONAL DATA?

The School is keen to get in touch with its former pupils, former parents, former members of staff, and friends of the School but must ensure that when it does so it complies with the School’s Data Protection Policy and relevant legislation. The School uses personal data to support a full range of activities for our alumni and friends and to ensure that the ways in which we communicate with you, such as sending out school publications, inviting you to events, or advising you about our alumni events, are relevant and adhere to your chosen communication preferences.

The School may collect, use, store and transfer different kinds of personal data about you, including the following:

• Biographical information including your name and date of birth

• Your contact details and communication preferences

• Your education history

• Your clubs and societies affiliations and your other connections with the school

• Your professional activities and employment

• Your interests and extra-curricular activities

• Information you have publicly shared on social media

• Your family and partner/spousal details

• Your relationships with other alumni and friends

• Records of communications and interactions we have had with you

• Your attendance at school events

We will also process the following special category data:

• Information about your health

• Information about your race or ethnicity

• Information about your religion

• Information about any disabilities you may have

• Offence or conviction information

• Political affiliations

Please note that we do not collect or store any credit/debit card details.

We use different methods to collect data about you, which are explained in the Whole School Privacy Policy above.

We will only use your personal data for the purpose for which we collected it. Examples of the ways we process your data include:

• From time to time to create a profile of your interests so that we can contact you in the most appropriate way and with the most relevant information;

• We may use information about you if we need this for historical research purposes or for statistical purposes.

• We may need information about any court orders or criminal petitions which relate to you. This is so that we can safeguard the reputation of the school or the welfare of any current students with whom you may come into contact during school or alumni events.

• We use CCTV to make sure the school site is safe. CCTV is not used in private areas such as toilets.

• We may take photographs or videos of you at events to use on social media and on the school websites to help promote the school. If you have any concerns about the use of photographs and videos please contact the School Office.

SHARING PERSONAL DATA WITH THIRD PARTIES

Occasionally we may use consultants, experts and other advisors to assist the School in fulfilling its obligations and to help run our alumni services properly. We might need to share your personal data with them if this is relevant to their work but will ensure data-sharing agreements are in place before doing so, where appropriate. More details of the third parties we may share your data with can be found here.

SENDING INFORMATION TO OTHER COUNTRIES

We may transfer, store and process your personal data outside the European Economic Area. More detail can be found in the Whole School Privacy Policy above.

WHAT RIGHTS DO YOU HAVE IN RELATION TO YOUR PERSONAL DATA?

You have the following rights, which you can exercise by contacting us:

If information is incorrect you can ask us to correct it;

You can also ask what personal data we hold about you and request a copy. We will also give you extra information, such as why we use your personal data, where it came from and what types of people we have sent it to;

You can ask us to delete your personal data in certain circumstances. For example, where we no longer need it;

You can ask us to send you, or another organisation, your personal data in a format that can be read by computer;

Our use of your personal data may be restricted in some cases. For example, if you want us to check the accuracy of your data.

You can object to processing of your personal data in certain circumstances.

Where we comply with a request to delete your personal data, we will need to keep the following:

Your name and years of entry and leaving alongside your request to remove your data. We will retain this information to prevent you from being inadvertently contacted in the future.

Information needed to comply with statutory requirements, but only for as long as those statutory requirements specify (e.g. Gift Aid declarations)

A coded reference may be attributed to you for reporting and accounting purposes concerning any events attended or donations made.

Further details about your data protection rights can be found in the Whole School Privacy Policy above, or alternatively you can contact our Data Protection Officer.

FURTHER INFORMATION AND GUIDANCE

If you are looking for more information about how we process your personal data, including details of data security, data retention and legal bases for processing, please visit our Privacy Policy above.